Prescriptive Rules to Compel Advisers and Funds to Report and Disclose Cybersecurity Breaches

By James Delaney, Director, Asset Management Regulation, AIMA

Published: 19 April 2022

Cyber incidents remain a serious threat to the financial system and are rapidly growing in frequency and sophistication.  Enhancing cyber resilience in the financial services sector is a key element of regulators' agendas resultingly.

At the tail-end of last year, the SEC sanctioned eight firms for deficient cybersecurity procedures, cybersecurity disclosure control failures and misleading investors about a serious cyber breach.  Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit, who will be speaking at AIMA's inaugural CyberTech Forum on April 20, remarked at the time that "it is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented."

Earlier this year, the SEC issued a proposed rule on cybersecurity risk management for registered investment advisers, registered investment companies and business development companies.  The proposed rule would require written cybersecurity policies and procedures, reporting of significant cybersecurity incidents to the SEC, public disclosure of cybersecurity risks and significant cybersecurity incidents, as well as new recordkeeping requirements for advisers and funds.  With these regulatory changes, more intense scrutiny of the cyber and operational resilience capabilities of investment managers will become commonplace.  AIMA recently published its latest guide to sound practices for cybersecurity, which sets out principles that an investment manager should consider when developing a cybersecurity program (available to members here).

Separately, the SEC has also proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.  The SEC has determined that investors are increasingly seeking information about how issuers are managing cybersecurity risks, which can affect their investment decisions and returns.  

Information security and operational resilience were also once again highlighted as priorities by the SEC's Division of Examinations, which confirmed that, this year, they will be reviewing registrants' business continuity and disaster recovery plans, with a particular focus on substantial disruptions to normal business operations.  Last year, AIMA updated its guide to sound practices for business continuity management (available to members here).

New rules in the U.S. have also been reflected across the pond with the EU's proposed regulation on Digital Operational Resilience Act, the Central Bank of Ireland's cross-industry guidance on operational resilience and in the UK with the FCA's new requirements to strengthen operational resilience in the financial services sector.

AIMA has been engaging with agencies and authorities on these various regulatory proposals and has recently worked with members to submit a response to the SEC on its advisers and funds cybersecurity proposed rule.  We will continue to engage with the SEC and also monitor any developments in other jurisdictions that may impact our members.

If you would like to stay informed of cyber and operational resilience developments or would like to join our dedicated Cyber and Technology peer groups, please contact James Delaney.